Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to graph the sum of field A where field B=TRUE...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The question is the simple case of one set of conditions. My goal is to line graph (4) variations in one chart:
sum field A where field B=TRUE and field C=FALSE as outbound
sum field A where field B=FALSE and field C=TRUE as inbound
sum field A where field B=TRUE and field C=TRUE as internal
sum field A where field B=FALSE and field C=FALSE as passthru
pipe into a timechart by day.
This working Splunk search charts the number of records that satisfies each of the 4 tests, but I can't figure out how to sum the Field A (producer_filename_bytes) of those matching records to line chart the 4 cumulative bytes of each?
index=prd_sterling sourcetype="sfg:fg_activity" state=Routed | timechart per_day(eval(producer_is_internal="TRUE" and consumer_is_internal="FALSE")) AS TotalOutbound,
per_day(eval(producer_is_internal="FALSE" and consumer_is_internal="TRUE")) AS TotalInbound,
per_day(eval(producer_is_internal="TRUE" and consumer_is_internal="TRUE")) AS TotalInternal,
per_day(eval(producer_is_internal="FALSE" and consumer_is_internal="FALSE")) AS TotalPassThru
Thanks very much! -Marc
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this
index=prd_sterling sourcetype="sfg:fg_activity" state=Routed
| eval Outbound=if(producer_is_internal="TRUE" and consumer_is_internal="FALSE",producer_filename_bytes,0)
| eval Inbound=if(producer_is_internal="FALSE" and consumer_is_internal="TRUE",producer_filename_bytes,0)
| eval Internal=if(producer_is_internal="TRUE" and consumer_is_internal="TRUE",producer_filename_bytes,0)
| eval PassThru=if(producer_is_internal="FALSE" and consumer_is_internal="FALSE",producer_filename_bytes,0) |
| timechart per_day(Outbound) as TotalOutbound per_day(Inbound) as TotalInbound per_day(Internal) AS TotalInternal,
per_day(PassThru) AS TotalPassThru
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this
index=prd_sterling sourcetype="sfg:fg_activity" state=Routed
| eval Outbound=if(producer_is_internal="TRUE" and consumer_is_internal="FALSE",producer_filename_bytes,0)
| eval Inbound=if(producer_is_internal="FALSE" and consumer_is_internal="TRUE",producer_filename_bytes,0)
| eval Internal=if(producer_is_internal="TRUE" and consumer_is_internal="TRUE",producer_filename_bytes,0)
| eval PassThru=if(producer_is_internal="FALSE" and consumer_is_internal="FALSE",producer_filename_bytes,0) |
| timechart per_day(Outbound) as TotalOutbound per_day(Inbound) as TotalInbound per_day(Internal) AS TotalInternal,
per_day(PassThru) AS TotalPassThru
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks somesoni2! That works perfectly. Really appreciate the assist.
FYI to others, remove the second pipe ahead of the timechart command.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @marcoeur5
Glad you found an answer through @somesoni2 🙂 Don't forget to resolve the post by clicking "Accept" directly below his answer. Also, be sure to upvote his answer for helping you out.
Cheers
Patrick
Fun with Regular Expression - multiples of nine
[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...
What’s New & Next in Splunk SOAR
